Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
organizations
Describe the bug
Prerequisite: realm user UserA is a member of OrganizationA and OrganizationB. There are no identity providers configured.
1. Log in from the SPA with the browser flow (scope: organization). You are presented with the 'select organization' page. After login the token looks like this:
```
"scope": "openid profile organization email",
"organization": {
  "OrganizationA": { "id": "a04e856c-ff80-4829-9f10-a51784cc00a4" }
},
```
2. From the SPA, request another access_token using 'codeFlow' with a specific, different organization scope, organization:OrganizationB. The token now looks like this:
```
"scope": "openid profile organization:OrganizationB email",
"organization": {
  "OrganizationA": { "id": "a04e856c-ff80-4829-9f10-a51784cc00a4" }
},
```
=> The claim organization:OrganizationA does not match the requested scope organization:OrganizationB.
Technically, this is due to the ClientNote set by the OrganizationAuthenticator, which causes the organization in the protocol mapper to be pinned to organization:OrganizationA regardless of the scope that was requested.
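A client-side consistency check for the mismatch described above, added here as an example and not code from the Keycloak issue or project. It assumes the JWT payload has already been decoded; the function names and the two token bodies are constructed to mirror the tokens in the report:

```javascript
// Added example, not code from the Keycloak issue or project: a client-side
// consistency check that flags the mismatch described above, where the token's
// "scope" claim names organization:OrganizationB but the "organization" claim
// still carries OrganizationA. Function names and sample token bodies are
// constructed for illustration; the claims are assumed to be already decoded.

// Extract the organization aliases named by "organization:<alias>" entries in
// a space-separated scope string. A bare "organization" entry names no alias.
function requestedOrganizations(scope) {
  return (scope || "")
    .split(/\s+/)
    .filter(entry => entry.startsWith("organization:"))
    .map(entry => entry.slice("organization:".length));
}

// Compare the "organization" claim against the organization scope in the
// token's own "scope" claim. Returns { ok, requested, present } so a caller
// can log or reject the token when the two disagree.
function checkOrganizationClaim(claims) {
  const requested = requestedOrganizations(claims.scope);
  const present = Object.keys(claims.organization || {});
  if (requested.length === 0) {
    // Bare "organization" scope: the user picked one, so any single org is
    // consistent; an empty claim means no organization was resolved at all.
    return { ok: present.length > 0, requested, present };
  }
  // Specific scope(s): the claim must contain exactly the requested aliases.
  const ok = present.length === requested.length &&
    requested.every(alias => present.includes(alias));
  return { ok, requested, present };
}

// Constructed token bodies mirroring the two tokens from the report.
const firstToken = {
  scope: "openid profile organization email",
  organization: { OrganizationA: { id: "a04e856c-ff80-4829-9f10-a51784cc00a4" } }
};
const secondToken = {
  scope: "openid profile organization:OrganizationB email",
  organization: { OrganizationA: { id: "a04e856c-ff80-4829-9f10-a51784cc00a4" } }
};

console.log(checkOrganizationClaim(firstToken).ok);  // true: bare scope, one org
console.log(checkOrganizationClaim(secondToken).ok); // false: pinned to OrganizationA
```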
Version
26.0.7
Regression
[ ] The issue is a regression
Expected behavior
The returned claim matches the requested scope.
Actual behavior
The returned claim is pinned to the organization set in the clientNote by the OrganizationAuthenticator.
How to Reproduce?
1. Select an organization during login with scope organization.
2. Request another token with scope organization:differentOrganization from the same client (SPA).
Anything else?
Everything works as expected if you log in with an explicit organization:OrganizationA scope in the first place, because then the clientNote is never set.